If you run an MSP or MSSP, this problem is familiar: the renewal quote comes in higher than last year, a small customer is too small to reach the vendor's minimum, or a feature you thought was included appears as a separate line on the invoice.
Two providers can look identical in a demo and behave completely differently on the invoice. One lets you onboard a 40-asset customer and pay for 40 assets. The other makes you buy a 300 or 500-asset minimum, so you carry the cost of 260 assets you will never bill.
The five licensing terms that decide your margin
Vulnerability management pricing is rarely as simple as a price per asset. Most platforms look similar on the surface, but the difference for a service provider shows up in five places.
1. Asset minimums
This is the big one. Many platforms set a floor on how many assets you can license at a time. Common minimums sit at 300 or 500 assets.
For an MSP, a minimum is an extra cost on every small customer. If your average new customer has 40 assets and the floor is 300, you either pay for 260 assets you can't use or you turn the deal away.
What to look for: a model that starts at the first asset, with no floor. That's what makes small and mid-market customers profitable to onboard instead of something you turn away.
2. How an “asset” is counted, and what happens when you exceed it
Not all platforms count assets the same way. Some count every visible thing: temporary cloud instances, decommissioned servers still sitting in a database, dormant accounts. The meter creeps up, and so does the bill.
Then there's overage behavior. Some platforms respond to going over your count by reducing functionality in stages. Others simply bill you for the overage.
What to look for: a clear, documented definition of what counts as an asset, predictable behavior when your count changes, and no punitive throttling mid-contract.
3. What's included versus what's an add-on
Read any vulnerability management price list closely and you'll often find the platform is only the start. Web application scanning, cloud security, identity coverage, single sign-on, and connectors can each sit on a separate line, sold separately.
For an MSP, every add-on reduces your margin. You quoted your customer a price based on the platform. Then the capabilities you need to actually deliver the service turn out to cost extra.
What to look for: an everything-included model, where the capabilities you need to run the service are part of the license, not extras that erode what you keep.
4. Billing model: seats bought up front, or real usage
Traditional licensing asks you to buy capacity in advance. You commit to a block of seats or assets, then go sell them. Until you do, you're carrying cost with no revenue against it.
Usage-based billing works the other way. You pay monthly on the assets you're actually managing across all your customers. New customer, new usage, new revenue, all in step.
What to look for: monthly billing on real usage across your whole book, so you never pay for a seat before you've sold it.
5. Renewal terms
This is the one that surprises MSPs a year later. Many vulnerability management subscriptions renew with a year-over-year price increase unless you actively negotiate it down. The high cost of changing vendors makes it worse: once your customers are onboarded, the vendor knows moving is painful, and the renewal quote reflects that.
The result is a slow margin squeeze. Your costs climb every renewal cycle while your end-customer prices stay put, because nobody wants to tell a customer their price is going up again.
What to look for: transparent, predictable renewals with no automatic increases, and billing terms that don't punish you for staying.
What good MSP vulnerability management looks like
Our platform assumes you're a true MSP running a book of business, not a single company securing one environment. It is multi-tenant by design, so you manage every customer from one place. You start at the first asset, bill monthly on real usage across all your customers, and get one unified platform with everything included.
And because Holm Security is hosted entirely in Europe, data residency becomes something you can sell, not just something you tick. For partners serving regulated and public-sector customers under NIS2 and GDPR, a European-hosted platform is an argument you can put in front of your own customers with confidence.
The result is simple: small customers are profitable, growth is predictable, and your margin stays yours.
FAQ
What is the best vulnerability scanner for MSPs?
The best vulnerability scanner for an MSP is one whose licensing fits a multi-customer business: no asset minimum, usage-based monthly billing, everything included, and predictable renewals. Scan quality matters, but licensing is what decides whether the service is profitable across your whole book.
Why is vulnerability management important for MSPs?
Vulnerability management lets an MSP find and prioritize security weaknesses across every customer environment before attackers do, which is central to the security service customers pay for. For the MSP, it is also a recurring revenue line, so the platform's licensing model directly shapes how profitable that service is.
What's the most common licensing trap for MSPs?
Asset minimums. A 300 or 500-asset floor forces you to pay for capacity you can't bill when onboarding small customers, quietly making parts of your book unprofitable.
What is usage-based licensing for MSPs?
Usage-based licensing means you pay monthly for the assets you're actively managing across all your customers, rather than committing to a block of seats up front. It keeps cost in step with revenue.
What is a good asset minimum for an MSP vulnerability management platform?
The best minimum for an MSP is none. A model that starts at the first asset lets you onboard small customers profitably, instead of paying for a 300 or 500-asset floor you can't bill.
Why do add-ons matter so much for MSPs?
Because you set a fixed price for your end customer. Every capability that turns out to cost extra, like single sign-on or connectors, comes straight out of your margin.
How do MSPs avoid renewal price increases on security tooling?
Choose a vendor with transparent, predictable renewal terms and no automatic year-over-year increases, and favor month-to-month usage billing over large up-front commitments that raise your switching costs.
Does Holm Security have an asset minimum?
No. Holm Security's model starts at the first asset, with monthly billing on real usage across your whole book of customers.
Interested in how Holm Security's model works for your MSP or MSSP business?
Explore the Holm Security Partner Program →